Debian Security Advisory
DLA-1480-1 ruby2.1 -- LTS security update
- Date Reported:
- 27 Aug 2018
- Affected Packages:
- ruby2.1
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 895778, Bug 851161.
  In Mitre's CVE dictionary: CVE-2016-2337, CVE-2018-1000073, CVE-2018-1000074.
- More information:
Several vulnerabilities were discovered in Ruby 2.1.
- CVE-2016-2337
Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker who passes an object of a type other than String as the retval argument can cause arbitrary code execution.
- CVE-2018-1000073
RubyGems contains a directory traversal vulnerability in the install_location function of package.rb. It can result in path traversal when a file is written into a symlinked base directory that resolves to a location outside of the install root.
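The following is an added illustration of the check the CVE-2018-1000073 entry describes; it is not RubyGems' own install_location code. The first function performs only a lexical check of the requested path (the shape of check that a planted symlink gets past), the second additionally resolves the directory the file would really be written into and requires it to stay inside the root. The scenario in demo (a gem_root directory, an outside directory, and a lib symlink between them) is constructed for the example.

```ruby
require 'tmpdir'
require 'fileutils'

class PathError < StandardError; end

# Lexical check only: the shape of check that CVE-2018-1000073 bypassed.
# It normalises '..' but never consults the filesystem, so a symlink that
# already exists under destination_dir is invisible to it.
def lexical_install_location(filename, destination_dir)
  raise PathError, "absolute path #{filename}" if filename.start_with?('/')
  root = File.expand_path(destination_dir)
  destination = File.expand_path(File.join(root, filename))
  raise PathError, "#{filename} escapes #{root}" unless destination.start_with?(root + '/')
  destination
end

# Walk up to the nearest component that exists (or is a symlink, so a dangling
# link is not skipped over) and resolve it through every symlink.
def real_existing_prefix(path)
  path = File.dirname(path) until File.exist?(path) || File.symlink?(path)
  File.realpath(path) # raises Errno::ENOENT for a dangling symlink
end

# Hardened check: keep the lexical check, then require that the directory the
# file would actually be written into resolves to somewhere inside the root.
def safe_install_location(filename, destination_dir)
  destination = lexical_install_location(filename, destination_dir)
  real_root = File.realpath(destination_dir)
  real_parent = begin
    real_existing_prefix(File.dirname(destination))
  rescue Errno::ENOENT
    raise PathError, "#{filename}: parent directory cannot be resolved"
  end
  unless real_parent == real_root || real_parent.start_with?(real_root + '/')
    raise PathError, "#{filename} resolves to #{real_parent}, outside #{real_root}"
  end
  destination
end

# Constructed scenario, not from the advisory: an earlier archive entry planted
# a symlink inside the install root pointing outside it, and a later entry
# writes a file through that link.
def demo
  Dir.mktmpdir do |tmp|
    root    = File.join(tmp, 'gem_root')
    outside = File.join(tmp, 'outside')
    FileUtils.mkdir_p([root, outside])
    File.symlink(outside, File.join(root, 'lib'))

    verdict = lambda do |checker, entry|
      begin
        send(checker, entry, root)
        :allowed
      rescue PathError
        :rejected
      end
    end

    {
      # plain '..' traversal: both checks catch it
      dotdot_lexical:  verdict.call(:lexical_install_location, '../outside/x.rb'),
      dotdot_safe:     verdict.call(:safe_install_location,    '../outside/x.rb'),
      # write through the planted symlink: only the hardened check catches it
      symlink_lexical: verdict.call(:lexical_install_location, 'lib/evil.rb'),
      symlink_safe:    verdict.call(:safe_install_location,    'lib/evil.rb'),
      # ordinary entry into a directory that does not exist yet: still allowed
      benign_safe:     verdict.call(:safe_install_location,    'ext/new/file.rb')
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point to take from the demo is that string-prefix checks on an expanded path say nothing about where a write will land once the kernel follows symlinks; the resolution has to happen on the filesystem, and for an archive it has to happen for every entry, because an earlier entry can create the link a later one abuses.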
- CVE-2018-1000074
RubyGems contains a deserialization of untrusted data vulnerability in the owner command that can result in code execution. To exploit it, the victim must run the gem owner command on a gem with a specially crafted YAML file.
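As an added example of the class of bug behind CVE-2018-1000074, not code from RubyGems or from the advisory: a YAML document carrying a !ruby/object tag makes Psych instantiate the named class and run its init_with hook while the document is still being parsed, so whoever controls the YAML chooses which class is constructed. The Gadget class and the PAYLOAD string below are constructed for this example; the advisory does not say which class the real attack used. YAML.safe_load refuses every tagged object unless the class has been explicitly permitted.

```ruby
require 'yaml'

# Stand-in for a class with a deserialization hook (constructed for this
# example). Psych instantiates the class named in a !ruby/object tag with
# allocate and then calls init_with, so any such class on the load path is
# reachable from attacker-controlled YAML without the victim calling it.
class Gadget
  attr_reader :fired
  def init_with(coder)
    @fired = coder['cmd'] # a real gadget would act on this value here
  end
end

# Constructed payload; the advisory does not give the real one.
PAYLOAD = "--- !ruby/object:Gadget\ncmd: touch /tmp/pwned\n"

# The pre-fix behaviour: full Ruby object deserialization.
# Psych 4 (Ruby 3.1+) made YAML.load safe and moved this to unsafe_load.
def unsafe_yaml_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# The hardened form: only plain scalars, arrays and hashes are permitted;
# any !ruby/object tag raises Psych::DisallowedClass instead of instantiating.
def safe_yaml_load(yaml)
  YAML.safe_load(yaml)
end

def demo
  gadget = unsafe_yaml_load(PAYLOAD)
  safe = begin
    safe_yaml_load(PAYLOAD)
  rescue Psych::DisallowedClass => e
    e.class.name
  end
  {
    unsafe_class: gadget.class.name,  # "Gadget": the hook ran during parsing
    unsafe_fired: gadget.fired,       # "touch /tmp/pwned"
    safe:         safe,               # "Psych::DisallowedClass"
    benign:       safe_yaml_load("---\nname: demo\nversion: 1.0\n")
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Metadata read from a gem (or any other file a user did not author) should go through safe_load with an explicit allow-list of the few classes the format genuinely needs; on Ruby versions before Psych 4, plain YAML.load is the unsafe path.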
For Debian 8 "Jessie", these problems have been fixed in version 2.1.5-2+deb8u5.

We recommend that you upgrade your ruby2.1 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS